“Human element makes total defense against cyberattacks impossible”

© 2011 EPFL

A recent report shows that cyber attackers infiltrated the UN and U.S. government agencies. Juraj Sarinay, EPFL doctoral student, sheds light on the world of cybersecurity.

Recently, the international press has not stopped publishing articles about the latest wave of cybersecurity breaches. Last week, the computer security giant McAfee published a report detailing 72 compromised security networks, including U.S. governmental agencies and the UN. This past Saturday, the hacker-activist group LulzSec released sensitive information hacked from U.S. law-enforcement offices in response to the arrest of their supposed spokesperson. We asked Juraj Sarinay, doctoral student at EPFL’s Laboratory for Cryptologic Algorithms and researcher in network security, about these recent cyberattacks.

EPFLNews: How is it possible that the United Nations did not detect the security breaches in their network, present since 2009?

JS: This is not at all surprising. If malicious software (or malware) is properly crafted, it can be impossible to detect. The simple fact that it was found shows that it was a poorly scripted intrusion – this type of software is discovered in networks every day. The majority of these malware attacks come in the form of malicious e-mail messages, where a more or less well-crafted message appearing to come from a trusted source contains a link to malware. The person usually breaks with company protocol by clicking on the link, introducing a foreign element into the computer. Once a single computer is hacked it is almost impossible to discover, and the intruder gradually increases access to the network. The difficult part for the hacker is getting the information back out of the network, and if this process is well hidden it can take years to discover.

EPFLNews: If malicious messaging is one of the most common ways to introduce malware, what is one of the more surprising ways of breaching cybersecurity?

JS: Besides malicious messages, another common way to introduce malware into a system is to exploit its bugs, which is why it is important to constantly update system and application software. But since bugs exist in every system, someone may find a bug that no one else knows is out there. An unknown bug can be exploited many times until it is discovered and patched. The more widely it is exploited, the sooner it gets fixed. If you want to target someone big, better use a "fresh" bug. That is why, for someone wishing to launch an attack on a specifically important target, such information is worth money and could be sold on the black market to mal-intentioned parties.

EPFLNews: What is the technology needed to carry out these various types of cyber attacks?

JS: Complicated technology is not needed for most types of attacks – at most, a fast internet connection is preferable. Furthermore, most malware code is public and an attacker does not necessarily need to be the greatest writer of code – they normally are not. From my viewpoint it is not extremely hard; on the other hand, it is not completely trivial and there is some effort involved. In general, the methods used by the attackers are reasonably stable over time and reasonably well understood. They need luck and a little social engineering – these are more techniques than technology. Basic social engineering is needed to be able to craft efficient malicious e-mails: convincing language, knowledge of the institution, etc. For higher-level targets, an attacker needs more luck, more knowledge and maybe some more insight into the company, but he or she doesn’t need secret technology or even a great computer. For this reason it is the human element that makes it theoretically impossible to totally defend from attacks.